<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-1242510060581634745</id><updated>2009-11-14T04:18:22.063-08:00</updated><title type="text">identityjunkie.com</title><subtitle type="html">identity management and infosec related experiences with a few general ramblings here and there...</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://blog.identityjunkie.com/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>21</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/identityjunkie/girK" type="application/atom+xml" /><feedburner:emailServiceId>identityjunkie/girK</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-7943907491859436589</id><published>2009-11-11T21:08:00.001-08:00</published><updated>2009-11-11T21:08:25.858-08:00</updated><title type="text">Can ADFSv2 Beta2 work with ZXID?</title><content type="html">&lt;p&gt;This week, we configured
interoperability with an STS running ZXID for SP-initiated SSO. ZXID is an open source IdM for SAML SSO. It’s basically an Apache httpd auth module for SAML SSO. It uses pure SAML 2.0 and ID-WSF Web Services, and other language bindings are supported through SWIG. More on the product and how it works can be found here:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://zxid.org/" target="_blank"&gt;OpenLiberty Secure Identity Web Service&lt;/a&gt;    &lt;br /&gt;&lt;a href="http://zxid.org/html/mod_auth_saml.html" target="_blank"&gt;Apache with mod_auth_saml Recipe&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Thoughts? Pretty cool…&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-7943907491859436589?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/7943907491859436589/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=7943907491859436589" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/7943907491859436589" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/7943907491859436589" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/NsNv0BiryPc/can-adfsv2-beta2-work-with-zxid.html" title="Can ADFSv2 Beta2 work with ZXID?"
/><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/11/can-adfsv2-beta2-work-with-zxid.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-3515337484641731373</id><published>2009-10-16T10:30:00.001-07:00</published><updated>2009-10-16T10:30:03.366-07:00</updated><title type="text">FIM RC1: Access to the requested resource(s) is denied</title><content type="html">&lt;p&gt;A common attribute used in ILM projects is the “Employee Status” attribute. In RC1, this value does not exist for the user resource type within the portal. Additionally, there might be more attributes you need to create and associate with any resource type; therefore, after going through the procedures documented in the “&lt;b&gt;&lt;i&gt;&lt;a href="http://technet.microsoft.com/en-us/library/ee534912(WS.10).aspx"&gt;Introduction to Schema Management&lt;/a&gt;&lt;/i&gt;&lt;/b&gt;” guide, you’ll probably experience the following error when exporting data from the FIM MA:&lt;/p&gt;  &lt;p&gt;&amp;quot;&lt;b&gt;failed-web-motification-error&amp;quot;&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;Message: Access to the requested resource(s) is denied&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;Stack Trace:&amp;#160;&amp;#160;&amp;#160; at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()     &lt;br /&gt;&amp;#160;&amp;#160; at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()      &lt;br /&gt;&amp;#160;&amp;#160; at 
MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)      &lt;br /&gt;&amp;#160;&amp;#160; at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;As Joe mentions on the &lt;a href="http://social.technet.microsoft.com/Forums/en/ilm2/thread/aa5ac051-8ae4-49ea-abcc-9d7a5890a08b"&gt;forums&lt;/a&gt;, in RC1 the default MPRs list explicit attribute values within the list of resource attributes rather than just saying “All Attributes.” Any custom attribute needs to be added in order for the synchronization account to update it during an export. To do so, just add the attribute to the “&lt;b&gt;&lt;u&gt;Synchronization: Synchronization account controls users it synchronizes&lt;/u&gt;&lt;/b&gt;” MPR. Not sure if this is relevant, but I had to cycle my FIM Service for it to apply immediately. &lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-3515337484641731373?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/3515337484641731373/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=3515337484641731373" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/3515337484641731373" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/3515337484641731373" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/ZaQ0Zy3IJdg/fim-rc1-access-to-requested-resources.html" title="FIM RC1: Access to the requested resource(s) is denied"
/><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/10/fim-rc1-access-to-requested-resources.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-5904876343580971784</id><published>2009-09-16T22:23:00.001-07:00</published><updated>2009-09-16T22:23:23.520-07:00</updated><title type="text">Automating MOSS 2007 installs</title><content type="html">&lt;p&gt;Let’s build onto the process described in my last post. This time, let’s look at automating the setup of MOSS 2007. Here is a link which describes the process for &lt;a href="http://blogs.msdn.com/martinkearn/archive/2008/01/14/how-to-create-a-slipstream-installation-for-moss-with-sp1.aspx"&gt;“slipstreaming” the MOSS setup files with SP1&lt;/a&gt;; therefore, I’m going to skip that step here. Apparently, the Product Group has also released a &lt;a href="http://blogs.msdn.com/sharepoint/archive/2008/03/07/moss-2007-with-sp1-slipstream-officeserverwithsp1-exe-released.aspx"&gt;downloadable&lt;/a&gt; version, so this might be useful for future service packs and updates. &lt;/p&gt;  &lt;p&gt;Depending on where you want to go, if you still need to install SQL, you can bolt this process right on top of the unattended SQL installation procedure. For me, this comes in handy when re-building my farm(s) for development.&lt;/p&gt;  &lt;p&gt;The prerequisites for installing MOSS 2007 on Windows 2008 are the Web Server role with the IIS 6 management compatibility components. You can install them using servermanagercmd.exe with the -i switch plus the [Web-WebServer] and [Web-Mgmt-Compat] components.
For example:&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size="2" face="Courier New"&gt;servermanagercmd -i Web-WebServer&lt;/font&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size="2" face="Courier New"&gt;servermanagercmd -i Web-Mgmt-Compat&lt;/font&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;Assuming SQL is already provisioned and you have a slipstreamed install directory, you can proceed to setup a configuration file for setup. Be sure to install the pre-requisites, then you can proceed to use the /config [path and file name] switch to reference a Config.xml file to setup MOSS 2007. If you’ve slipstreamed your installation files with SP1, the updates will be applied during the installation. Here is the TechNet &lt;a href="http://technet.microsoft.com/en-us/library/cc287749.aspx"&gt;link&lt;/a&gt; on how to use the Config.xml for controlling installs or doing more advanced installations.&lt;/p&gt;  &lt;p&gt;Below is a sample configuration file I use for simple farm installation, using the following syntax:&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;font size="2" face="Courier New"&gt;\\..\...\MOSS2007_FullSP1\x86Setup\setup.exe /config “config.xml”&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;table border="0" cellspacing="0" cellpadding="2" width="711"&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top" width="709"&gt;         &lt;p&gt;&lt;a href="file:///Z:\Source\MOSS2007_FullSP1\x86Setup\config.xml"&gt;&lt;b&gt;&lt;/b&gt;&lt;/a&gt;&lt;a href="file:///Z:\Source\MOSS2007_FullSP1\x86Setup\config.xml"&gt;&lt;b&gt;&lt;font size="2" face="Verdana"&gt;-&lt;/font&gt;&lt;/b&gt;&lt;/a&gt;&lt;font size="2" face="Verdana"&gt; &amp;lt;Configuration&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;a href="file:///Z:\Source\MOSS2007_FullSP1\x86Setup\config.xml"&gt;&lt;b&gt;&lt;font size="2" face="Verdana"&gt;-&lt;/font&gt;&lt;/b&gt;&lt;/a&gt;&lt;font size="2" face="Verdana"&gt; &amp;lt;Package Id=&amp;quot;&lt;b&gt;sts&lt;/b&gt;&amp;quot;&amp;gt; &lt;/font&gt;&lt;/p&gt;          
&lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;LAUNCHEDFROMSETUPSTS&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;Yes&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;REBOOT&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;ReallySuppress&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;SETUPTYPE&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;CLEAN_INSTALL&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;/Package&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;a href="file:///Z:\Source\MOSS2007_FullSP1\x86Setup\config.xml"&gt;&lt;b&gt;&lt;font size="2" face="Verdana"&gt;-&lt;/font&gt;&lt;/b&gt;&lt;/a&gt;&lt;font size="2" face="Verdana"&gt; &amp;lt;Package Id=&amp;quot;&lt;b&gt;spswfe&lt;/b&gt;&amp;quot;&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;SETUPCALLED&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;1&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;REBOOT&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;ReallySuppress&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;OFFICESERVERPREMIUM&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;1&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;/Package&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;DATADIR Value=&amp;quot;&lt;b&gt;C:\Data&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" 
face="Verdana"&gt;&amp;lt;Logging Type=&amp;quot;&lt;b&gt;verbose&lt;/b&gt;&amp;quot; Path=&amp;quot;&lt;b&gt;%temp%&lt;/b&gt;&amp;quot; Template=&amp;quot;&lt;b&gt;Office Server Setup(*).log&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Display Level=&amp;quot;&lt;b&gt;none&lt;/b&gt;&amp;quot; CompletionNotice=&amp;quot;&lt;b&gt;Yes&lt;/b&gt;&amp;quot; SupressModal=&amp;quot;&lt;b&gt;Yes&lt;/b&gt;&amp;quot; AcceptEULA=&amp;quot;&lt;b&gt;Yes&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;PIDKEY Value=&amp;quot;&lt;b&gt;XXXXX- XXXXX - XXXXX - XXXXX - XXXXX&lt;/b&gt; &amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;SERVERROLE&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;APPLICATION&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;Setting Id=&amp;quot;&lt;b&gt;USINGUIINSTALLMODE&lt;/b&gt;&amp;quot; Value=&amp;quot;&lt;b&gt;0&lt;/b&gt;&amp;quot; /&amp;gt; &lt;/font&gt;&lt;/p&gt;          &lt;p&gt;&lt;font size="2" face="Verdana"&gt;&amp;lt;/Configuration&amp;gt;&lt;/font&gt;&lt;/p&gt;       &lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-5904876343580971784?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/5904876343580971784/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=5904876343580971784" title="0 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/1242510060581634745/posts/default/5904876343580971784" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/5904876343580971784" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/a-KrkY_VsdU/automating-moss-2007-installs.html" title="Automating MOSS 2007 installs" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/09/automating-moss-2007-installs.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-6907893891368957583</id><published>2009-09-16T22:01:00.001-07:00</published><updated>2009-09-16T22:01:05.556-07:00</updated><title type="text">Automating SQL 2008 w/SP1 installs</title><content type="html">&lt;p&gt;Building customer solutions can require the maintenance of many development environments; therefore, I’d rather not be spending my whole day watching the progress bar of some app install. In addition, each development environment may differ slightly in configuration; therefore I need the ability to just point and click for installs, yet I still need the flexibility to change the installation configuration when needed. There are many ways to do this. I know folks that have built elaborate deployment tools that leverage either SQL or XML to get configurations; however, here are some ideas for how I do things using sysprepped VM images.
This process can easily be packaged and integrated into a nice automated build process using something like SCCM.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Slipstreaming Source Installation Binaries: &lt;/b&gt;Installing prerequisite software is a pain, especially if you have to go back around and patch or apply a service pack. As a best practice, always build using the “most current” advertisements and patches. We all know that applying patches is something that won’t go away; however, if I can reduce my deployment time by merging service packs (which always take long), I can make my process more efficient. Here is a post that provides the steps for slipstreaming SQL 2008 with SP1.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://blogs.msdn.com/petersad/archive/2009/02/25/sql-server-2008-creating-a-merged-slisptream-drop.aspx"&gt;Creating a merged (slipstreamed) drop containing SQL 2008 + Service Pack 1&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;b&gt;Unattended Installation:&lt;/b&gt; Unattended installation methods provide value through automation, in addition to ensuring consistency in the configuration of a system. For example, say I’m deploying across many systems such as a web farm. I’d want the build automated rather than going to each machine. SQL 2008 supports unattended installs by using a configuration file. This configuration file provides the ability to deploy SQL throughout the enterprise with the same configuration. Here is the MSDN &lt;a href="http://msdn.microsoft.com/en-us/library/dd239405.aspx"&gt;link&lt;/a&gt; which covers installing SQL using configuration files.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;How To: &lt;/b&gt;Create an installation directory to store the source installation files. Within that directory, you can store any pre-requisites.
For example, mine is: &lt;font size="2" face="Courier New"&gt;\\XXX.XXX.XXX.XXX\Source\SQLServer2008Ent_FullSP1\Soruce&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;Within the pre-requisites directory (&lt;font size="2" face="Courier New"&gt;\\XXX.XXX.XXX.XXX\Source\SQLServer2008Ent_FullSP1\Pre-Req&lt;/font&gt;), I keep the following support files:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=ab99342f-5d1a-413d-8319-81da479ab0d7&amp;amp;displaylang=en" target="_blank"&gt;.NET 3.5 SP1 (Full)&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/959209" target="_blank"&gt;KB959209&lt;/a&gt; (Updates for .NET 3.5 SP1) &lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.microsoft.com/downloadS/details.aspx?familyid=5A58B56F-60B6-4412-95B9-54D056D6F9F4&amp;amp;displaylang=en" target="_blank"&gt;Windows 4.5 Installer&lt;/a&gt; &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;The installation directory (\&lt;font size="2" face="Courier New"&gt;\XXX.XXX.XXX.XXX\Source\SQLServer2008Ent_FullSP1\Setup&lt;/font&gt;) maintains:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Installation Files &lt;/li&gt;    &lt;li&gt;Configuration File (ConfigurationFile.ini)&amp;#160; &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;The following commands can be wrapped up into a batch file or installation package to be executed by the installation process.&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;&lt;i&gt;&lt;font size="2" face="Courier New"&gt;dotnetfx35.exe /qb /norestart&lt;/font&gt;&lt;/i&gt; &lt;/li&gt;    &lt;li&gt;&lt;font size="2"&gt;&lt;font face="Courier New"&gt;&lt;i&gt;NDP35SP1-KB958484-x86.exe /q /v /norestart&lt;/i&gt;&lt;/font&gt;&lt;/font&gt; &lt;/li&gt;    &lt;li&gt;&lt;i&gt;&lt;font size="2" face="Courier New"&gt;wusa Windows6.0-KB942288-v2-x86.msu /quiet (will require reboot)&lt;/font&gt;&lt;/i&gt; &lt;/li&gt;    &lt;li&gt;&lt;i&gt;&lt;font size="2" face="Courier New"&gt;setup.exe /SQLSVCPASSWORD=&amp;quot;********&amp;quot; 
/AGTSVCPASSWORD=&amp;quot;********&amp;quot; /ConfigurationFile=&amp;quot;%Path to ConfigurationFile.INI%&amp;quot;&lt;/font&gt;&lt;/i&gt; &lt;/li&gt; &lt;/ol&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-6907893891368957583?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/6907893891368957583/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=6907893891368957583" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6907893891368957583" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6907893891368957583" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/Re-MD9HYveA/automating-sql-2008-wsp1-installs.html" title="Automating SQL 2008 w/SP1 installs" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/09/automating-sql-2008-wsp1-installs.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-8908097892699678772</id><published>2009-06-25T09:55:00.001-07:00</published><updated>2009-06-25T09:55:20.451-07:00</updated><title type="text">Transitioning to Geneva Framework and Server</title><content type="html">&lt;p&gt;This week, I’m getting the opportunity to play catch-up and get my feet wet with Geneva. 
So far, it’s awesome because there is so much material already out! As soon as all my pre-reqs are installed, integration with VS 2008 immediately worked {Per DL “huh, a Beta product working” =-)}! Yep, the option to “Create a new STS project in the current solution” is pretty slick. Developers can begin building an application immediately without having to wait for the IT guy; therefore keeping everything within VS until time to deploy a build.&lt;/p&gt;  &lt;p&gt;If you’ve already played with the federation stuff, I suggest watching Channel 9’s interview with &lt;a href="http://channel9.msdn.com/shows/Identity/Donovan-Follette-on-making-the-shift-from-ADFS-v1-to-Geneva-Server/"&gt;Donovan Follette on making the shift from ADFS v1 to Geneva&lt;/a&gt; and &lt;a href="http://channel9.msdn.com/shows/Identity/Jan-Alexander-on-the-claims-transformation-language-in-Geneva-Server-beta-2/"&gt;Jan Alexander on the claims transformation language in Geneva Server Beta 2&lt;/a&gt;. Both address all the important things you need to know to get started such as the new concepts Geneva introduces and how they relate to the old concepts used in ADFS v1. 
&lt;/p&gt;  &lt;p&gt;Check it out, the links to Channel 9 are above!&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-8908097892699678772?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/8908097892699678772/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=8908097892699678772" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/8908097892699678772" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/8908097892699678772" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/2h-f0R0pwvc/transitioning-to-geneva-framework-and.html" title="Transitioning to Geneva Framework and Server" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/06/transitioning-to-geneva-framework-and.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-5272621871059380725</id><published>2009-04-08T00:14:00.001-07:00</published><updated>2009-04-08T00:14:07.174-07:00</updated><title type="text">AD PowerShell Cmdlets &amp; AD WebServices</title><content type="html">&lt;p&gt;New features coming out for Windows Server 2008 R2 that I’m really interested in are the AD PowerShell Cmdlets and AD WebServices. 
This evening, I happened to stumble on PG’s blog, “Active Directory PowerShell Blog”, which provided some valuable info on what’s coming soon! Of course, the first thing I did after reading the first few posts was begin my download of R2 so I can begin playing with them myself. So much to learn, so little time…&lt;/p&gt;  &lt;p&gt;Let me summarize what’s new:&lt;/p&gt;  &lt;p&gt;Basically, the AD PsH cmdlets will immediately support 4 categories (Account, Topology, DS Object, Providers) for AD administration. Here is a &lt;a href="http://blogs.msdn.com/photos/adpowershell/images/9453590/original.aspx" target="_blank"&gt;link&lt;/a&gt; which breaks down the actual cmdlets. Just with what you see, you can bet there is a lot of opportunity for extensibility (or as they refer to it, “Advanced Functions!”).&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/photos/adpowershell/images/9453590/original.aspx" target="_blank"&gt;&lt;img height="240" src="http://blogs.msdn.com/photos/adpowershell/images/9453590/original.aspx" width="236" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;The next thing is the AD WebServices, which support both ADAM and AD upon installation.
&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://blogs.msdn.com/adpowershell/archive/2009/04/06/active-directory-web-services-overview.aspx" target="_blank"&gt;Active Directory Web Services Overview&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/Windows_Communication_Protocols.zip" target="_blank"&gt;AD WebService Data Model&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Here is the link to their blog:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/adpowershell/default.aspx" target="_blank"&gt;Active Directory PowerShell Blog&lt;/a&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-5272621871059380725?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/5272621871059380725/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=5272621871059380725" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/5272621871059380725" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/5272621871059380725" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/GriY-kk5n-I/ad-powershell-cmdlets-ad-webservices.html" title="AD PowerShell Cmdlets &amp;amp; AD WebServices" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/04/ad-powershell-cmdlets-ad-webservices.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-350927329211935212</id><published>2009-03-07T17:02:00.001-08:00</published><updated>2009-03-16T23:04:04.746-07:00</updated><title type="text">Using PowerShell and S.DS.AD to create Sites and Service objects</title><content type="html">&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:Courier New;"&gt;System.DirectoryServices.ActiveDirectory&lt;/span&gt; (S.DS.AD) is a .NET namespace available for performing common tasks related to Active Directory Domain Services. S.DS.AD differs from S.DS in that it is a pure .NET interface which allows us to extend deeper into DS development. See S.DS.AD Scenarios &lt;/span&gt;&lt;a href="http://msdn.microsoft.com/en-us/library/ms257190.aspx" target="_blank"&gt;&lt;span style="font-size:85%;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;With PowerShell (PSH), we can leverage the classes in this namespace to script common manual tasks. For example, in a migration scenario, managing AD sites and services can be time consuming to set up. Here are some functions I wrote which allow you to automate these processes using PSH.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;To do bulk creation of site objects, you would store your configuration in a CSV file and use its columns as parameters to each PSH function.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Say we need to 1. Create Sites, 2. Create Subnets, 3. Create SiteLinks, and 4. Configure our SiteLinks.
Using Excel, you can create 4 CSV source files, one for each task, then use the &lt;strong&gt;Import-CSV&lt;/strong&gt; and &lt;strong&gt;ForEach-Object&lt;/strong&gt; cmdlets to call each function for each record.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;For example:&lt;/span&gt;&lt;/p&gt;&lt;table cellspacing="0" cellpadding="2" width="727" border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td valign="top" width="725"&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;Import-Csv C:\importFile.csv | ForEach-Object {Create-Site $_.SiteName}&lt;br /&gt;Import-Csv C:\importSubnets.txt | ForEach-Object {Create-SubNet $_.SubNet $_.SiteName}&lt;br /&gt;Import-Csv C:\importSiteLinks.txt | ForEach-Object {Create-SiteLink $_.SiteLinkName $_.Site $_.Cost $_.Interval}&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Here are the PSH functions:&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Creating AD Sites&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellspacing="0" cellpadding="2" width="724" border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td valign="top" width="722"&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;Function Create-Site{Param ($siteName)&lt;br /&gt;$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()&lt;br /&gt;$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"&lt;br /&gt;$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)&lt;br /&gt;$site = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySite($contextType,$siteName)&lt;br /&gt;$site.Options = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteOptions]::GroupMembershipCachingEnabled&lt;br /&gt;$site.Save()&lt;br /&gt;Write-Host "Creating site object $siteName..."
}&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Creating AD Subnets&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellspacing="0" cellpadding="2" width="726" border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td valign="top" width="724"&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;Function Create-SubNet{Param($subNetName,$siteName)&lt;br /&gt;$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()&lt;br /&gt;$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"&lt;br /&gt;$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)&lt;br /&gt;$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($contextType, $siteName)&lt;br /&gt;$subnet = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySubnet($contextType,$subNetName,$site)&lt;br /&gt;$subnet.Save()&lt;br /&gt;Write-Host "Creating subnet object $subNetName..." 
}&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Creating AD SiteLinks&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellspacing="0" cellpadding="2" width="726" border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td valign="top" width="724"&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;Function Create-SiteLink{Param($siteLinkName,$siteName,$siteCost,$repInterval)&lt;br /&gt;$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()&lt;br /&gt;$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"&lt;br /&gt;$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)&lt;br /&gt;$trans = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryTransportType]::Rpc&lt;br /&gt;$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($contextType,$siteName)&lt;br /&gt;$link = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink($contextType,$siteLinkName,$trans)&lt;br /&gt;$link.Cost = $siteCost&lt;br /&gt;$link.ReplicationInterval = $repInterval&lt;br /&gt;$d = $link.Sites.Add($site)&lt;br /&gt;$link.Save()&lt;br /&gt;Write-Host "Creating siteLink object $siteLinkName..." 
}&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Adding Sites to a SiteLink&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellspacing="0" cellpadding="2" width="723" border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td valign="top" width="721"&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;Function Add-SitetoSiteLink{Param($siteName,$siteLinkName)&lt;br /&gt;$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()&lt;br /&gt;$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"&lt;br /&gt;$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest.Name)&lt;br /&gt;# Both lookups throw ActiveDirectoryObjectNotFoundException if the object does not exist&lt;br /&gt;$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($contextType,$siteName)&lt;br /&gt;$link = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink]::FindByName($contextType,$siteLinkName)&lt;br /&gt;# Add returns the new index; discard it so the function stays quiet in a pipeline&lt;br /&gt;[void]$link.Sites.Add($site)&lt;br /&gt;$link.Save() }&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-350927329211935212?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/350927329211935212/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=350927329211935212" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/350927329211935212" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/350927329211935212" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/Ow15Btc6Bu0/using-powershell-and-sdsad-to-create.html" title="Using PowerShell and S.DS.AD to create Sites and Service objects" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2009/03/using-powershell-and-sdsad-to-create.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-3120681985828554650</id><published>2008-12-17T11:24:00.001-08:00</published><updated>2008-12-17T11:24:57.309-08:00</updated><title type="text">Installing ADAM on Vista SP1</title><content type="html">&lt;p&gt;To date, Microsoft still hasn&amp;#8217;t released an ADAM build for Vista. We&amp;#8217;ve since had to hack our way to get &lt;a href="http://dunnry.com/blog/InstallingADAMOnVista.aspx"&gt;ADAM installed&lt;/a&gt;; however, the release of Vista SP1 presented a new set of obstacles. Basically what you&amp;#8217;ll see is an &amp;#8220;Entry Point Not Found&amp;#8221; error that references VSSAPI.DLL. In order to overcome this, you just copy the older version of VSSAPI.DLL into the ADAM directory on your Vista machine (Thanks &lt;a href="http://siudyk.aspweb.cz/post/ADAM-and-Vista-SP1.aspx"&gt;siudyda.com&lt;/a&gt; for the post). &lt;/p&gt;  &lt;p&gt;Here are the steps to get ADAM installed on a Vista SP1 build:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Install ADAM on a non-Vista machine. &lt;/li&gt;    &lt;li&gt;Copy the %WINDIR%\ADAM folder from your non-Vista machine to the same location on your Vista machine.&lt;/li&gt;    &lt;li&gt;Create a new registry key HKLM\Software\Microsoft\Windows\CurrentVersion\ADAM_Shared. 
Under this key, create a new Multi-String value named &amp;#8220;SharedFolders&amp;#8221;.&lt;/li&gt;    &lt;li&gt;Run adaminstall.exe from the %WINDIR%\ADAM directory. Do not import any LDIF files. &lt;b&gt;Note:&lt;/b&gt; if you experience the error mentioned above, just copy the older version of VSSAPI.DLL into your ADAM directory.&lt;/li&gt;    &lt;li&gt;Complete the wizard and you should have a fully functional ADAM instance. All you need to do is import the LDIF files that define your schema.&lt;/li&gt; &lt;/ol&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-3120681985828554650?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/3120681985828554650/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=3120681985828554650" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/3120681985828554650" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/3120681985828554650" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/fxIHTW2Ht4g/installing-adam-on-vista-sp1.html" title="Installing ADAM on Vista SP1" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2008/12/installing-adam-on-vista-sp1.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-6830233787285771039</id><published>2008-10-04T11:45:00.001-07:00</published><updated>2008-10-04T11:45:55.688-07:00</updated><title type="text">Invalid DN Syntax when creating new object classes in ADAM</title><content type="html">&lt;p&gt;When recreating an ADAM directory for a project that uses custom object classes, I ran into a problem attempting to import my schema using Ldifde.exe using the following command line: &lt;/p&gt;  &lt;p&gt;&amp;#8220;ldifde -i -u -f export_prod_schema.ldf -s server:port -b username domain password -j . -c &amp;quot;cn=Configuration,dc=X&amp;quot; #configurationNamingContext&amp;#8221;&lt;/p&gt;  &lt;p&gt;Below is the error my logfile reported:&lt;/p&gt;  &lt;p&gt;-&lt;/p&gt;  &lt;p&gt;Entry DN: cn=xxxxx,cn=Schema,#configurationNamingContext&lt;/p&gt;  &lt;p&gt;Add error on line 15: Invalid DN Syntax&lt;/p&gt;  &lt;p&gt;The server side error is &amp;quot;The object name has bad syntax.&amp;quot;&lt;/p&gt;  &lt;p&gt;An error has occurred in the program&lt;/p&gt;  &lt;p&gt;-&lt;/p&gt;  &lt;p&gt;The problem was actually in Ldifde.exe itself. Apparently, the version of Ldifde.exe from the system32 directory does not support #macros. You have to use the version provided with the ADAM (%windir%\ADAM) installation. 
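As an added example that is not part of the original post, the script below sidesteps the macro problem entirely: it reads the real configurationNamingContext from the instance's RootDSE and hands that literal DN to ldifde -c, so the import works with whichever ldifde.exe is on the path. Before importing, it also lists any dn: entries in the LDF that are not under the exported configuration DN, because -c rewrites only those. Server name, port, file paths and the short sample LDF are assumptions constructed for the example, and the bind uses the current user's credentials rather than putting a password on the command line with -b.

```powershell
# Added example (not from the original post). Assumes a reachable ADAM instance that the
# current user may bind to and whose schema it may modify; server, port, paths and the
# sample LDIF are constructed for illustration. Binding as the current user avoids putting
# a password on the command line with -b.
Add-Type -AssemblyName System.DirectoryServices

function Get-LdifDn {
    # Unfolds LDIF continuation lines (leading space) and returns every "dn:" value,
    # decoding the base64 "dn::" form as well
    param([string[]]$LdifLines)
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $LdifLines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) { $unfolded[$unfolded.Count - 1] += $line.Substring(1) }
        else { $unfolded.Add($line) }
    }
    foreach ($line in $unfolded) {
        $m = [regex]::Match($line, '^dn(::?)\s*(.*?)\s*$', 'IgnoreCase')
        if (-not $m.Success) { continue }
        if ($m.Groups[1].Value -eq '::') { [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Groups[2].Value)) }
        else { $m.Groups[2].Value }
    }
}

function Get-LdifDnOutsideScope {
    # "-c FromDN ToDN" rewrites only DNs that end in FromDN; anything else is imported verbatim and
    # either fails with Invalid DN Syntax or lands in the wrong partition, so surface it first
    param([string[]]$LdifLines, [string]$ScopeDn)
    Get-LdifDn $LdifLines | Where-Object { -not $_.EndsWith($ScopeDn, [StringComparison]::OrdinalIgnoreCase) }
}

function Get-AdamConfigurationDn {
    # RootDSE publishes the instance's partitions; this is the DN that #configurationNamingContext expands to
    param([string]$Server, [int]$Port)
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/RootDSE")
    [string]$rootDse.Properties['configurationNamingContext'].Value
}

function Import-AdamSchemaLdif {
    param(
        [string]$Server, [int]$Port, [string]$LdifPath,
        [string]$ExportedConfigDn = 'CN=Configuration,DC=X',   # how the config NC is spelled in the exported file
        [string]$LdifdeExe = "$env:windir\ADAM\ldifde.exe"      # the system32 copy also works, since no macro is used
    )
    $stray = @(Get-LdifDnOutsideScope (Get-Content $LdifPath) $ExportedConfigDn)
    if ($stray.Count -gt 0) { throw "entries outside $ExportedConfigDn would not be rewritten: $($stray -join '; ')" }
    $targetDn = Get-AdamConfigurationDn $Server $Port
    if (-not (Test-Path $LdifdeExe)) { $LdifdeExe = "$env:windir\System32\ldifde.exe" }
    # Same switches as the post's command, but the literal target DN replaces the #configurationNamingContext macro
    $ldifdeArgs = @('-i', '-u', '-f', "`"$LdifPath`"", '-s', "${Server}:${Port}", '-j', '.', '-c', "`"$ExportedConfigDn`"", "`"$targetDn`"")
    $proc = Start-Process -FilePath $LdifdeExe -ArgumentList $ldifdeArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "ldifde exited with code $($proc.ExitCode); see ldif.log in the current directory" }
}

# Constructed sample of an exported schema LDF: one entry under the config NC and one stray entry
$sampleLdif = @'
dn: CN=myCustomClass,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema

dn:: Q049c3RyYXksREM9c29tZXdoZXJlRWxzZQ==
changetype: add
'@ -split "`r?`n"
Get-LdifDnOutsideScope $sampleLdif 'CN=Configuration,DC=X'   # reports CN=stray,DC=somewhereElse
# Import-AdamSchemaLdif -Server localhost -Port 50000 -LdifPath .\export_prod_schema.ldf
```

The RootDSE lookup is also a quick way to see what #configurationNamingContext should have expanded to in the log: on ADAM it is CN=Configuration,CN={instance GUID}, which is why a DN written for a domain (cn=Configuration,dc=X) has to be rewritten at all.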
&lt;/p&gt;  &lt;p&gt;Thanks to &lt;a href="http://www.eggheadcafe.com/forumarchives/windowsserveractive_directory/jan2006/post26132113.asp"&gt;Dmitri Garilov&lt;/a&gt; for posting this in the news group.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-6830233787285771039?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/6830233787285771039/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=6830233787285771039" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6830233787285771039" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6830233787285771039" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/kMt4PjhqM6g/invalid-dn-syntax-when-creating-new.html" title="Invalid DN Syntax when creating new object classes in ADAM" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2008/10/invalid-dn-syntax-when-creating-new.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-7695826840971968309</id><published>2008-09-24T21:09:00.001-07:00</published><updated>2008-09-24T21:09:49.931-07:00</updated><title type="text">Reminder: C# character escape sequences</title><content type="html">&lt;p&gt;C# defines the following 
character escape sequences: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;code&gt;\'&lt;/code&gt; - single quote, needed for character literals &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\&amp;quot;&lt;/code&gt; - double quote, needed for string literals &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\\&lt;/code&gt; - backslash &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\0&lt;/code&gt; - Unicode character 0 &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\a&lt;/code&gt; - Alert (character 7) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\b&lt;/code&gt; - Backspace (character 8) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\f&lt;/code&gt; - Form feed (character 12) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\n&lt;/code&gt; - New line (character 10) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\r&lt;/code&gt; - Carriage return (character 13) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\t&lt;/code&gt; - Horizontal tab (character 9) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\v&lt;/code&gt; - Vertical tab (character 11) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\uxxxx&lt;/code&gt; - Unicode escape sequence for the character with hex value xxxx (always exactly four hex digits) &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\xn[n][n][n]&lt;/code&gt; - Unicode escape sequence for the character with hex value n to nnnn (variable-length version of \uxxxx). It greedily consumes up to four hex digits, so &lt;code&gt;\x41BC&lt;/code&gt; is the single character U+41BC rather than an A followed by BC; prefer &lt;code&gt;\u&lt;/code&gt; whenever hex-like text follows the escape &lt;/li&gt;    &lt;li&gt;&lt;code&gt;\Uxxxxxxxx&lt;/code&gt; - Unicode escape sequence for the character with hex value xxxxxxxx (for generating surrogate pairs) &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Of these, &lt;code&gt;\a&lt;/code&gt;, &lt;code&gt;\f&lt;/code&gt;, &lt;code&gt;\v&lt;/code&gt;, &lt;code&gt;\x&lt;/code&gt; and &lt;code&gt;\U&lt;/code&gt; are rarely used in my experience. 
&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/csharpfaq/archive/2004/03/12/88415.aspx"&gt;link&lt;/a&gt; to original post&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-7695826840971968309?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/7695826840971968309/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=7695826840971968309" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/7695826840971968309" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/7695826840971968309" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/AN1kHZhDT9M/reminder-c-character-escape-sequences.html" title="Reminder: C# character escape sequences" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2008/09/reminder-c-character-escape-sequences.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-6331613559248492543</id><published>2008-09-04T15:38:00.001-07:00</published><updated>2008-09-04T16:22:57.416-07:00</updated><title type="text">ADFS and MySites - Enabling MySites with the Web Single Sign-On (SSO) authentication provider</title><content type="html">&lt;p&gt;There have been few online questions regarding enabling MySites 
interoperability with ADFS. To answer the question of whether it’s possible: yes. &lt;/p&gt;&lt;p&gt;The process is actually very simple and similar to configuring forms-based authentication in MOSS 2007. &lt;/p&gt;&lt;p&gt;It’s probably safe to assume that by this time you’ve already completed the step-by-step guide for enabling MOSS 2007 as a claims-aware application, so this post is a walkthrough of how to configure the Web Single Sign-On authentication provider to interoperate with MySites. &lt;/p&gt;&lt;p&gt;Assuming you already have a functional claims-aware instance of MOSS 2007, when logged in as a federated user you should see that the MySites link is missing. The reason is that MySites is tied to the Shared Service Provider (SSP), which has not yet been extended to use the Web Single Sign-On (SSO) authentication provider.&lt;/p&gt;&lt;p&gt;In order for federated users to have access to MySites, Web Single Sign-On needs to be configured to interoperate with the My Site applications.&lt;/p&gt;&lt;p&gt;For simplicity’s sake, this walkthrough assumes the MySites collection is within the same web application as the site with which it is associated, for example https://&amp;lt;sharepointserver&amp;gt;/mysites. The recommended design from Microsoft is to host MySites in its own web application and manage it independently. I’m lazy and only have a VM to prove my point, so here it is. Recommended designs for MySites are covered in the best-practice documentation on &lt;a href="http://technet.microsoft.com/en-us/library/cc263019.aspx"&gt;TechNet&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Within Central Admin:&lt;/strong&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;1.&lt;/strong&gt; When you first configured your Shared Service Provider, you probably configured it under the Default zone with NTLM authentication. Extend the SSP web application to use an additional authentication provider and assign it to a different (Custom or Extranet) zone. 
(Note: zones are logically separate ways of reaching the same content, each with its own URL and authentication settings.) Be sure to supply details such as the port number the new application will be hosted on and the zone this extended Web application will reside under. In my case, I extended the web application under my existing federated URL, &lt;u&gt;&lt;a href="http://extranet.treyresearch.com:&amp;lt;port&amp;gt;"&gt;http://extranet.treyresearch.com:&amp;lt;port&amp;gt;&lt;/a&gt;&lt;/u&gt;. Use an HTTPS URL for the extended application in anything beyond a lab: the token posted back from the federation server and the authentication cookie the web agent issues must not cross the network in the clear.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;2.&lt;/strong&gt; Configure the authentication provider of this extended web application for Web Single Sign-On (SSO). Be sure to specify the Membership Provider Name as [&lt;strong&gt;SingleSignOnMembershipProvider2&lt;/strong&gt;] and the Role Manager Name as [&lt;strong&gt;SingleSignOnRoleProvider2&lt;/strong&gt;]. &lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;3.&lt;/strong&gt; At this point, add a provider section to the web.config of the extended Web application. This is the virtual directory for the SSP (C:\Inetpub\wwwroot\wss\VirtualDirectories\&amp;lt;port number of SSP&amp;gt;). 
The following snippet should be copied under the &amp;lt;system.web&amp;gt; node of the web.config.&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;&amp;lt;membership&amp;gt;&lt;br /&gt;&amp;lt;providers&amp;gt;&lt;br /&gt;&amp;lt;add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs.treyresearch.com/adfs/fs/federationserverservice.asmx" /&amp;gt;&lt;br /&gt;&amp;lt;/providers&amp;gt;&lt;br /&gt;&amp;lt;/membership&amp;gt;&lt;br /&gt;&amp;lt;roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"&amp;gt;&lt;br /&gt;&amp;lt;providers&amp;gt;&lt;br /&gt;&amp;lt;remove name="AspNetSqlRoleProvider" /&amp;gt;&lt;br /&gt;&amp;lt;add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="&lt;u&gt;https://fsserver/adfs/fs/federationserverservice.asmx&lt;/u&gt;" /&amp;gt;&lt;br /&gt;&amp;lt;/providers&amp;gt;&lt;br /&gt;&amp;lt;/roleManager&amp;gt;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;p&gt;Both fs attributes must point at the same federation server web service URL; replace the &lt;u&gt;fsserver&lt;/u&gt; placeholder in the role provider entry so that it matches the membership provider entry above. 
Do an “iisreset” for the configuration to take effect.&lt;/p&gt;&lt;strong&gt;4.&lt;/strong&gt; When you’ve completed this task, the People Picker should be able to resolve organizational claims for this web application using the SingleSignOnMembershipProvider2 membership provider.&lt;/blockquote&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;5.&lt;/strong&gt; Assign your federated users Personalization services permissions. Do this by browsing to SSP Admin Site: &amp;lt;ssp name&amp;gt; → User Profiles and My Sites → Personalization services permissions. Using the Add Users/Groups link you can enter the names of the organizational claims that represent your portal users. Hit the Check Names button and watch the name resolve.&lt;/p&gt;Grant the users the following rights: &lt;strong&gt;(1)&lt;/strong&gt; Create personal site and &lt;strong&gt;(2)&lt;/strong&gt; Use personal features.&lt;/blockquote&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5242300597693757698" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_kRX9PJyWOfo/SMBknmNauQI/AAAAAAAAAZs/TJy6LPhsNMw/s400/1.jpg" border="0" /&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;6.&lt;/strong&gt; The next step is to grant federated users permissions on the MySites Host. Within the SSP Admin site, navigate to SSP Admin Site: &amp;lt;ssp name&amp;gt; → User Profiles and My Sites → My Site settings, then within View All Site Content → My Site Host Permissions. &lt;/p&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5242300667475087458" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_kRX9PJyWOfo/SMBkrqKlUGI/AAAAAAAAAZ0/dEataODN5yo/s400/2.jpg" border="0" /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;7.&lt;/strong&gt; Add the organizational claim that represents your federated users. 
In practice you define one organizational claim per type of user and set its rights here, for example Portal Admins and Portal Users. &lt;/p&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5242300850598295154" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_kRX9PJyWOfo/SMBk2UWjtnI/AAAAAAAAAaE/kv3ogYof8tY/s400/4.jpg" border="0" /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;8.&lt;/strong&gt; Typically you want users to be able to read the public areas of other users’ MySites without granting Read permissions user by user. The default behavior grants NT AUTHORITY\Authenticated Users read access to other users’ MySites, but federated users coming in through Web SSO do not carry that Windows group identity, so you have to grant the organizational claim representing your federated users here. Browse to SSP Admin Site: &amp;lt;ssp name&amp;gt; → User Profiles and My Sites → My Site settings. Within the Default Readers Site Group, add the organizational claim.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5242300955822054066" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_kRX9PJyWOfo/SMBk8cV22rI/AAAAAAAAAaM/AAgHmbIs-Oc/s400/5.jpg" border="0" /&gt;&lt;/p&gt;&lt;strong&gt;9.&lt;/strong&gt; Now test the configuration from a client computer within the account partner. Browse to &lt;u&gt;https://extranet.treyresearch.com&lt;/u&gt;, which should authenticate you through the federated trust. 
The first thing you should notice is that the MySites link is now available.&lt;/blockquote&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5242301050664723522" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_kRX9PJyWOfo/SMBlB9qHJEI/AAAAAAAAAaU/gONHQs-sRUA/s400/6.jpg" border="0" /&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;10.&lt;/strong&gt; When you click it, your site is created!&lt;/p&gt;&lt;p&gt;&lt;a href="http://4.bp.blogspot.com/_kRX9PJyWOfo/SMBlIFJFpMI/AAAAAAAAAak/dhEGOy7TSLQ/s1600-h/8.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5242301155752912066" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_kRX9PJyWOfo/SMBlIFJFpMI/AAAAAAAAAak/dhEGOy7TSLQ/s400/8.jpg" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-6331613559248492543?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/6331613559248492543/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=6331613559248492543" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6331613559248492543" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6331613559248492543" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/s0sgwXyNhZk/adfs-and-mysites-enabling-mysites-with.html" title="ADFS and MySites - Enabling MySites with the Web Single Sign-On (SSO) authentication provider" 
/><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_kRX9PJyWOfo/SMBknmNauQI/AAAAAAAAAZs/TJy6LPhsNMw/s72-c/1.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2008/09/adfs-and-mysites-enabling-mysites-with.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-7185090246680644551</id><published>2008-06-06T13:55:00.001-07:00</published><updated>2008-06-06T13:55:34.493-07:00</updated><title type="text">SharePoint and ILM integration</title><content type="html">&lt;p&gt;As more and more companies standardize their intranet/extranet portal platforms on SharePoint 2007 (MOSS 2007), the ILM administrator will be asked to integrate identity-related needs with it. It makes sense: MOSS 2007 is the front end for business communication, web-based collaboration, information sharing and workflow. As many already know, ILM 2 will have a WSS front end; tying its built-in functionality into your existing intranet is therefore a no-brainer.&lt;/p&gt;  &lt;p&gt;Just in case you hadn't seen it, Alex Tcherniakhovski has posted something that may give you insight into the integration (or at least a base to work with). 
At the very least, it should provide a good template for creating an XMA that leverages one of the out-of-box (or custom) web services from MOSS 2007.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/alextch/archive/2007/09/02/wsslistsandilm.aspx"&gt;Connecting ILM 2007 with SharePoint Service Lists&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Below is a brief rundown of the Web services that MOSS 2007 makes available out of the box. Whatever account your XMA uses to call them should be granted only the SharePoint permissions its calls require; Admin.asmx in particular is served by the Central Administration web application on its own port (5966 is just the example port) and needs farm administrator rights:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;:5966/_vti_adm/Admin.asmx - Administrative methods such as creating and deleting sites &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Alerts.asmx - Methods for working with alerts &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/DspSts.asmx - Methods for retrieving schemas and data &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/DWS.asmx - Methods for working with Document Workspaces &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Forms.asmx - Methods for working with user interface forms &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Imaging.asmx - Methods for working with picture libraries &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Lists.asmx - Methods for working with lists &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Meetings.asmx - Methods for working with Meeting Workspaces &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Permissions.asmx - Methods for working with SharePoint Services security &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/SiteData.asmx - Methods used by Windows SharePoint Portal Server &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Sites.asmx - Contains a single method to retrieve site templates &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/UserGroup.asmx - Methods for working with users and groups &lt;/li&gt;    
&lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/versions.asmx - Methods for working with file versions &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Views.asmx - Methods for working with views of lists &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/WebPartPages.asmx - Methods for working with Web Parts &lt;/li&gt;    &lt;li&gt;http://&lt;i&gt;server&lt;/i&gt;/_vti_bin/Webs.asmx - Methods for working with sites and subsites &lt;/li&gt; &lt;/ul&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-7185090246680644551?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/7185090246680644551/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=7185090246680644551" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/7185090246680644551" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/7185090246680644551" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/oiVWIYF5Uf8/sharepoint-and-ilm-integration.html" title="SharePoint and ILM integration" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2008/06/sharepoint-and-ilm-integration.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-295904313441306720</id><published>2008-03-12T01:56:00.001-07:00</published><updated>2008-05-12T19:22:58.383-07:00</updated><title type="text">Password Sync using the SAP ERP MA</title><content type="html">&lt;p&gt;Does the Microsoft SAP ERP MA support password synchronization? My immediate answer is yes; however, there are a few things you need to consider. The main reason is that the documentation is pretty cryptic, and unless you are on an SAP project or have a development environment available, testing this yourself can be challenging.&lt;/p&gt;&lt;p&gt;According to the ERP MA README.htm, only "administrative password reset" operations are supported. Now, referencing the PCNS technical material, I found the definition as follows:&lt;/p&gt;&lt;p&gt;"An automated password synchronization solution in ILM allows users to change their passwords in all connected data sources that are configured for automated password synchronization. Typically, users can press CTRL+ALT+DEL on the keyboards to initiate a password change.&lt;/p&gt;&lt;p&gt;This is a password change operation, not a password set or reset operation. For a password change operation, a user must know the previous password when attempting to change passwords. For a password set or reset operation to occur, a user does not have to know the previous password to set or reset the password to a different value. The automated password synchronization solution is a password change operation because users know the previous password."&lt;/p&gt;&lt;p&gt;The distinction matters: PCNS captures a password change, but the ERP MA can only apply it to SAP as an administrative reset, which is what produces the "initial password" side effect described below.&lt;/p&gt;&lt;p&gt;Well, this is a question that comes up a lot and this post should provide you with an idea of how to sync passwords between SAP and AD. 
An article I'd like to credit is the &lt;a href="http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3303906&amp;amp;SiteID=17"&gt;thread&lt;/a&gt; between Markus and Peter regarding this topic. Here Peter talks about a method similar to what I've run into.&lt;/p&gt;&lt;p&gt;In my experience, password synchronization initially seemed like it would work out-of-box; however, an issue I ran into was that whenever a system administrator assigns a new password to users, the new password is marked as "initial." Users have to change their initial passwords at first logon. At first, I thought you could simply turn this option off. According to the SAP Knowledge Warehouse, you have to modify the SAP User Management Engine (UME) properties using their Config Tool. (Your SAP Admin should be familiar with this and provide feedback.) The setting you modify is &lt;a href="http://help.sap.com/saphelp_nw04/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/frameset.htm"&gt;ume.logon.security_policy.password_change_required, set to False&lt;/a&gt; (so that a password change is not required at first logon). Well, the final solution resulted in creating a new SAP BAPI, similar to what Peter did. (Thanks Franciso Corona for confirming!) From there, as long as the password policies aren't conflicting with each other, you should be good.&lt;/p&gt;&lt;p&gt;Other obstacles I’ve run into that have prevented me from syncing passwords are the policy limitations applied in SAP. Depending on version, the following rules may apply:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Passwords must be 3-8 characters long. &lt;/li&gt;&lt;li&gt;Passwords cannot begin with 3 identical letters &lt;/li&gt;&lt;li&gt;Passwords cannot begin with a “?” or a “!” or a space. 
&lt;/li&gt;&lt;li&gt;Passwords cannot be identical to previously used passwords &lt;/li&gt;&lt;li&gt;Passwords cannot be “SAP” or “Pass” &lt;/li&gt;&lt;li&gt;Passwords cannot begin with the first letters of your name.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Most typically, leveraging AD as an authentication provider would get you closest to achieving true single sign-on; however, we understand that isn’t the case in many scenarios. &lt;/p&gt;&lt;p&gt;If you are running SAP on Windows, SAP GUI can be configured to authenticate against AD (including Kerberos SSO without any 3&lt;sup&gt;rd&lt;/sup&gt; party vendors). This does not apply to UNIX; there you would need something like Centrify.&lt;/p&gt;&lt;p&gt;If you are just using SAP Enterprise Portal and iViews, SAP Portal can be configured to authenticate against AD or ADAM.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-295904313441306720?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/295904313441306720/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=295904313441306720" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/295904313441306720" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/295904313441306720" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/c7KcF_7_c1U/password-sync-using-sap-erp-ma.html" title="Password Sync using the SAP ERP MA" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty 
xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2008/03/password-sync-using-sap-erp-ma.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-6580570594419151260</id><published>2007-12-14T01:48:00.001-08:00</published><updated>2009-04-07T22:00:42.884-07:00</updated><title type="text">Understanding the inner workings of SAP from MIIS (ILM) Perspective</title><content type="html">&lt;p&gt;In the past few posts, I’ve really concentrated on the Microsoft ERP MA for SAP integration. Although my world revolves around identity management, a huge piece of my time is spent on integrating systems throughout the enterprise that do not share a common platform, one of which is SAP. By no means would I consider myself an SAP Consultant; however, the need to understand the inner workings of foreign systems only makes my job that much easier. Surprisingly, SAP is one of those systems we find customers having difficulty integrating with the other connected data sources around the enterprise. &lt;p&gt;This post will concentrate further on key components of SAP, most typically how SAP communicates with the outside world. From here, you can better understand how to achieve proper integration. &lt;p&gt;The first thing is to understand some key concepts of SAP. SAP talks through various Business Application Programming Interfaces, also known as BAPIs. These interfaces are object-oriented methods that are the data-handling mechanisms used in SAP systems. Knowledge of how to instantiate these objects is the most powerful tool in an SAP consultant’s arsenal. BAPIs are business objects similar to transactional records, master records, or datasets. They are most commonly used when moving data in and out of SAP. 
Although several hundred BAPIs are available out of the box, they can also be customized to fit any business need. &lt;p&gt;Another key concept, and one most often confused with BAPIs, is IDocs. IDocs are data transports; they are about moving data between systems and modules within SAP. Ultimately, BAPIs are the mechanisms for getting data in and out of SAP; therefore, when integrating SAP with MIIS, you will be invoking BAPIs, or passing parameters to them, to retrieve any type of data. &lt;p&gt;Remote Function Calls (or RFCs) are function modules that are called within a BAPI. They relate to each other in that a BAPI is a business object, whereas an RFC is the functional code. &lt;p&gt;A simple example of what happens: (A) you call a BAPI, then (B) pass parameters to invoke RFCs. &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-6580570594419151260?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/6580570594419151260/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=6580570594419151260" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6580570594419151260" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6580570594419151260" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/ZDSmMWsqY5k/understanding-inner-workings-of-sap.html" title="Understanding the inner workings of SAP from MIIS (ILM) Perspective" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty 
xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/12/understanding-inner-workings-of-sap.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-2435227104812614816</id><published>2007-12-06T00:36:00.000-08:00</published><updated>2009-04-07T22:07:21.012-07:00</updated><title type="text">ILM (MIIS) and the Microsoft ERP Management Agent - Part 3</title><content type="html">In my previous post, I provided an overview of how we communicate from .NET to SAP systems. Now, let’s take a look at how this relates to ILM (MIIS). The ERP MA provides a tool to build the connector space. (Yes, you must build out your connector space by (1) defining the schema of attributes and (2) declaring which BAPIs to invoke and where: add, replace, delete, setpassword.) This is accomplished through the ERP Configuration Tool (ECT). The document recommends using the provided template files to get started; however, in my experience they were much harder to customize. IMHO it was much easier to build my connector space from scratch.&lt;br /&gt;&lt;br /&gt;Once you’ve completed this, you can create the SAP MA; to do so, you input the XML configuration file created by the ECT. You should then be able to see the entire attribute list with all the normal functions of any other management agent.&lt;br /&gt;&lt;br /&gt;How do my previous posts relate to where we are now? Well, here is how the MA works.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Building the ERP MA configuration file using the ECT: the configuration of the MA is performed by discovering the SAP environment using the SAP Connector for Microsoft .NET 2.0 and generating an XML file. 
This essentially discovers all the BAPIs and stores them in a local cache file.&lt;/li&gt;&lt;li&gt;The configuration UI communicates with SAP to discover the BAPIs and other configuration for display.&lt;/li&gt;&lt;li&gt;The UI generates the XML configuration, proxy assemblies and schema definition file. This is where you are building out your connector space.&lt;/li&gt;&lt;li&gt;The MA is created in MIIS, which consumes the schema file to synchronize with SAP.&lt;/li&gt;&lt;li&gt;At run time, the ERP MA SAP assembly consumes the XML configuration and proxy assemblies and provides a wrapper for RFC calls directly to the SAP server.&lt;br /&gt;The diagram below (taken from the CHM) details what happens under the covers.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;a href="http://bp2.blogger.com/_kRX9PJyWOfo/R1e0y7gC5sI/AAAAAAAAAW4/UIUZKde9i18/s1600-h/ErpMa.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5140776286725269186" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://bp2.blogger.com/_kRX9PJyWOfo/R1e0y7gC5sI/AAAAAAAAAW4/UIUZKde9i18/s400/ErpMa.jpg" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Now that you understand the process for communication, you can proceed to determine what to do with the data you import/export. Key things to understand when using the Microsoft ERP MA are the following:&lt;/p&gt;&lt;p&gt;***Understand the process of Alias and Alias-referencing. 
That is the core of how the MA works.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-2435227104812614816?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/2435227104812614816/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=2435227104812614816" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/2435227104812614816" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/2435227104812614816" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/R-ffR9oqgkQ/ilm-miis-and-microsoft-erp-management_06.html" title="ILM (MIIS) and the Microsoft ERP Management Agent - Part 3" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp2.blogger.com/_kRX9PJyWOfo/R1e0y7gC5sI/AAAAAAAAAW4/UIUZKde9i18/s72-c/ErpMa.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/12/ilm-miis-and-microsoft-erp-management_06.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-8199481394303664013</id><published>2007-12-04T22:00:00.001-08:00</published><updated>2009-04-07T22:07:14.115-07:00</updated><title type="text">ILM (MIIS) and the Microsoft ERP Management Agent - Part 2</title><content 
type="html">As promised in my last post, here is an overview of the SAP .NET Connector. Essentially, it is a programming environment inside Visual Studio that enables us to communicate between the .NET platform and SAP systems. Communication is facilitated through proxy classes which call and/or invoke BAPI functions in SAP. The connector supports both SAP RFCs and Web Services, which allows you to write various applications using any .NET language. Pretty straightforward, huh?&lt;br /&gt;&lt;br /&gt;Anyhow, the connector is made up of several parts. As I mentioned, first it’s pretty tightly integrated with Visual Studio for generating SAP proxies. The proxies are used to call BAPI functions either through the SAP RFC protocol (librfc32.dll) or via SOAP. Do note, per the documentation, Release 4.6D does not have SOAP support, while systems starting from 6.20 can use either. At the moment, the most current version of the connector is built for .NET 2.0 (SAP Connector for Microsoft .NET 2.0). Additional DLLs that are part of the assembly are SAP.Connector.Rfc.dll and LibRfc.dll (LIBRFC32.dll in Release 6.20 and higher). 
The diagram below details the runtime architecture and how communication is facilitated using the .NET Connector.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_kRX9PJyWOfo/R1Y_srgC5rI/AAAAAAAAAWw/FpFqRJ1459U/s1600-h/Runtime.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5140366061513926322" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://bp0.blogger.com/_kRX9PJyWOfo/R1Y_srgC5rI/AAAAAAAAAWw/FpFqRJ1459U/s400/Runtime.jpg" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-8199481394303664013?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/8199481394303664013/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=8199481394303664013" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/8199481394303664013" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/8199481394303664013" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/IN7qjbk2iuw/ilm-miis-and-microsoft-erp-management_04.html" title="ILM (MIIS) and the Microsoft ERP Management Agent - Part 2" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" 
/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_kRX9PJyWOfo/R1Y_srgC5rI/AAAAAAAAAWw/FpFqRJ1459U/s72-c/Runtime.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/12/ilm-miis-and-microsoft-erp-management_04.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-2045828209697253428</id><published>2007-12-04T01:01:00.001-08:00</published><updated>2009-04-07T22:07:06.079-07:00</updated><title type="text">ILM (MIIS) and the Microsoft ERP Management Agent - Part 1</title><content type="html">&lt;p&gt;In my current project, I’ve had the opportunity to work with the Microsoft ERP Management Agent for SAP. As many already know, SAP is a huge application and a common connected data source which in most (or some) cases acts as the authoritative source for HR-related data. MIIS can be used to facilitate or broker identity data and identity management related tasks to and from this connected data source and to many others. In my opinion, MIIS and SAP integrate very well, so I thought I’d write about how MIIS connects to SAP to synchronize identity data to and from the connector space. From here, I hope you can get a better understanding of how to integrate SAP into your existing MIIS environment. &lt;p&gt;Prior to the release of the ERP MA by Microsoft, MIIS developers connected to SAP systems through custom XMAs using the SAP .NET Connector. For example, Oxford Computer Group had developed a management agent for SAP which had proven successful in many environments well before the Microsoft ERP MA was even released. Regardless, here is how connectivity is accomplished using the ERP MA from Microsoft. &lt;p&gt;Before I start, the Microsoft ERP Management Agent can be downloaded from the following link or obtained within the ILM 2007 FR1 installation media. 
&lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=E05FA661-D087-4B12-8A79-E59494C9DD4A&amp;amp;displaylang=en"&gt;Microsoft Enterprise Resource Planning Management Agent for SAP&lt;/a&gt; &lt;p&gt;The base requirements for this management agent are: &lt;ul&gt;&lt;li&gt;Microsoft Identity Integration Server 2003 SP2 or ILM 2007 &lt;li&gt;The SAP .NET Connector 2.0 &lt;li&gt;Microsoft .NET Framework, version 1.1 or higher&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In order to connect to SAP, you should first understand some concepts of SAP. &lt;ul&gt;&lt;li&gt;BAPI (Business Application Programming Interface) – a function that performs a specific operation inside the SAP environment &lt;li&gt;InfoTypes – structures used as parameters to BAPIs &lt;li&gt;RFC (Remote Function Calls) – a method for accessing a BAPI from another computer via the network &lt;li&gt;SAP Connector for Microsoft .NET 2.0 – a managed component from SAP that enables RFC to BAPIs in a SAP application server&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;It’s pretty late now, so in my next part I will write more details on how the SAP .NET Connector works and how it relates to MIIS and the ERP MA.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-2045828209697253428?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/2045828209697253428/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=2045828209697253428" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/2045828209697253428" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/2045828209697253428" /><link 
rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/iFRnhSaCwW8/ilm-miis-and-microsoft-erp-management.html" title="ILM (MIIS) and the Microsoft ERP Management Agent - Part 1" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/12/ilm-miis-and-microsoft-erp-management.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-6037295453168401848</id><published>2007-11-27T21:35:00.001-08:00</published><updated>2009-04-07T22:06:59.097-07:00</updated><title type="text">ERP MA bug in ILM 2007 FP1</title><content type="html">&lt;p&gt;Apparently there is a known bug in the ERP MA for SAP that comes with ILM 2007 FP1. This bug prevents you from configuring the outbound flow of an anchor attribute. When mapping an attribute to &lt;i&gt;csobject.anchor&lt;/i&gt;, the bug prevents you from setting the flag which defines this attribute as the identity for the object, and so prevents you from exporting when invoking a BAPI that needs the reference. &lt;p&gt;Microsoft is aware of the bug, which might be fixed next week; however, mid-January should be the assumed expectation. 
&lt;p&gt;So far, I’m still using the version of the MA downloadable from the following &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=E05FA661-D087-4B12-8A79-E59494C9DD4A&amp;amp;displaylang=en"&gt;link&lt;/a&gt;, which is working fine.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-6037295453168401848?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/6037295453168401848/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=6037295453168401848" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6037295453168401848" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/6037295453168401848" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/_d2nUAu0LTQ/erp-ma-bug-in-ilm-2007-fp1.html" title="ERP MA bug in ILM 2007 FP1" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/11/erp-ma-bug-in-ilm-2007-fp1.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-4402928326643132873</id><published>2007-09-13T04:05:00.001-07:00</published><updated>2009-04-07T22:06:51.311-07:00</updated><title type="text">Setting Terminal Service Properties in .NET</title><content type="html">&lt;p&gt;&lt;span 
style="font-size:85%;"&gt;I recently had the requirement of managing Terminal Service properties in AD by means of MIIS. If you've ever been tasked with this, you may have noticed there are many VBScript and C++ snippets online with very few .NET examples. Therefore, I've decided to post how to accomplish this in .NET for those interested. &lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Initially, you'd think this is pretty easy...why couldn't I just flow any value through to AD using an advanced attribute flow within an MA rule extension? Well, not in this case. If you look into a user objectClass in AD through ADSIEdit, you'll notice these attributes are not directly exposed. Although I was able to populate some of the values through System.DirectoryServices, not all were accessible. Further research uncovered you can manage Terminal Service properties using the &lt;/span&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa383010.aspx"&gt;&lt;span style="font-size:85%;"&gt;ADSI Extension for Terminal Services User Configuration&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;. This extension is an assembly that allows you to manage Terminal Server user properties though the &lt;/span&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa380823.aspx"&gt;&lt;span style="font-size:85%;"&gt;IADsTSUserEx&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; Property Method. Below is sample code I used to test the functionality. 
&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-family:Courier New;font-size:85%;"&gt;using TSUSEREXLib;&lt;br /&gt;using System.DirectoryServices;&lt;br /&gt;using System;&lt;br /&gt;using System.Collections.Generic;&lt;br /&gt;using System.Text; &lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-family:Courier New;font-size:85%;"&gt;namespace Set_Terminal_Service_Properties&lt;br /&gt;{&lt;br /&gt;    class Program&lt;br /&gt;    {&lt;br /&gt;        static void Main(string[] args)&lt;br /&gt;        {&lt;br /&gt;            string acctName = "chrisca";  &lt;br /&gt;            string tsHomeDrive = "H:";&lt;br /&gt;            string tsHomeDirectory = "\\\\servername\\tshomedirectory\\";&lt;br /&gt;            string tsProfilePath = "\\\\servername\\tsprofilepath\\";&lt;br /&gt;            int enableLogon = 1; // enable terminal service logins &lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:Courier New;"&gt;            // bind to the user object; the bound DirectoryEntry owns the ADSI property cache&lt;br /&gt;            DirectoryEntry entry = new DirectoryEntry&lt;br /&gt;                ("LDAP://CN=Chris Calderon,CN=Users,DC=corp,DC=contoso,DC=com");&lt;br /&gt;            // QueryInterface the underlying ADSI object for the Terminal Services extension&lt;br /&gt;            ADsTSUserEx oUser = (ADsTSUserEx)entry.NativeObject;&lt;br /&gt;            // the property methods below only update the property cache, not AD itself&lt;br /&gt;            oUser.AllowLogon = enableLogon;&lt;br /&gt;            oUser.TerminalServicesHomeDirectory = tsHomeDirectory + acctName;&lt;br /&gt;            oUser.TerminalServicesHomeDrive = tsHomeDrive;&lt;br /&gt;            oUser.TerminalServicesProfilePath = tsProfilePath + acctName;&lt;br /&gt;            entry.CommitChanges(); // IADs::SetInfo - flushes the property cache to the directory&lt;br /&gt;            entry.Close();&lt;br /&gt;        }       &lt;br /&gt;    }&lt;br /&gt;}&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;As you can see, you use the extension in the same manner as you would any ADSI statements. A key item to consider is that the properties the Terminal Services User component exposes do not map directly to individual AD attributes. 
As is common with ADSI, calling these property methods stores the values in the ADSI object's property cache rather than in the directory itself. The changes are not saved until the &lt;strong&gt;IADs::SetInfo&lt;/strong&gt; method (or an equivalent, such as DirectoryEntry.CommitChanges in the code above) is called. &lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;This component consists of one DLL (TSUSEREX.DLL), located in the &lt;strong&gt;%SystemRoot%\System32&lt;/strong&gt; directory. In order to use the IADsTSUserEx interface, you must add a reference to this DLL in your project. The link below provides a table that lists the property methods of the &lt;strong&gt;IADsTSUserEx interface&lt;/strong&gt;.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa380823.aspx"&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;IADsTSUserEx Property Methods Details&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;My original goal is to eventually build an XMA for auxiliary attributes; however, the core requirement for that is to identify a method to access (read/write) these attributes.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-4402928326643132873?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/4402928326643132873/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=4402928326643132873" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/4402928326643132873" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/1242510060581634745/posts/default/4402928326643132873" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/PlgrG7VWkkw/setting-terminal-service-properties-in.html" title="Setting Terminal Service Properties in .NET" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/09/setting-terminal-service-properties-in.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-2394580976717877055</id><published>2007-08-11T03:39:00.001-07:00</published><updated>2009-04-07T22:06:42.026-07:00</updated><title type="text">Limitations of Office Integration in a Federated SharePoint Configuration</title><content type="html">&lt;p&gt;For the past year, I've worked on a few ADFS projects that have incorporated SharePoint 2007, and the number one issue that always seems to come up is the limitations in Office integration. This isn't something new; we actually experienced it in ADFSv1, and there is even a KB article which describes which features are lost.&lt;/p&gt;&lt;p&gt;&lt;a href="http://support.microsoft.com/kb/912492/en-us"&gt;KB 912492 - Windows SharePoint Services and SharePoint Portal Server 2003 Support boundaries for Active Directory Federation Services&lt;/a&gt;&lt;/p&gt;&lt;p&gt;With ADFSv2, yes, this KB article still applies; however, you still get the many features which operate exclusively through a web browser. Users can still download and upload files, search, and view or edit lists, etc. 
The problem is not within ADFS nor SharePoint; it's within the Office client, which cannot process the authentication cookies.&lt;/p&gt;&lt;p&gt;I guess the point I'm trying to make is, you have to re-evaluate the original initiative for exposing SharePoint 2007 as an Internet-facing application: partner/customer integration. &lt;/p&gt;&lt;p&gt;From a business perspective, federating applications is much cheaper than managing VPN connections or external (partner) users who are not even under your domain. In many aspects, it can also be more secure. I mean, all the traffic is being communicated over SSL, right? In my experience, many ADFS customers are able to utilize SharePoint effectively just using the browser with Web SSO. &lt;/p&gt;&lt;p&gt;Believe it or not, this does provide benefits. First of all, IT is able to maintain strict control over what parts of their network can be accessed by partners, thereby eliminating the significant problems caused by the common practice of managing local accounts/passwords for partners within the DMZ. That reason alone reduces the attack surface of Internet-facing applications. More reasons are to:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Reduce or prevent IT overhead for password management of external users/partners.&lt;/li&gt;&lt;li&gt;Prevent a bad user experience when users forget their password and call their local helpdesk for help instead of the partner site they are trying to access.&lt;/li&gt;&lt;li&gt;Prevent the loss of user productivity when they have to request and wait for remote accounts to be created before they can start working with a federated partner.&lt;/li&gt;&lt;li&gt;Avoid the severe security vulnerabilities that arise when external users are terminated by their enterprise/organization and partners do not receive notification to remove their accounts. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;At the end of the day, Information Security must measure what options are readily available to keep their customers productive while still honoring security. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1242510060581634745-2394580976717877055?l=blog.identityjunkie.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/2394580976717877055/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=2394580976717877055" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/2394580976717877055" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/2394580976717877055" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/XQzwncm8Z6Y/limitations-of-office-integration-in.html" title="Limitations of Office Integration in a Federated SharePoint Configuration" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/08/limitations-of-office-integration-in.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-1242510060581634745.post-1317284672153828815</id><published>2007-06-04T01:30:00.001-07:00</published><updated>2009-04-07T22:06:28.010-07:00</updated><title type="text">Learning Microsoft Identity Management</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;The world of identity management (IdM) is very broad with many angles for misinterpretation. For those who know me, I frequently refer to identity management NOT as a product but a framework. 
For the past 3 years, the world of identity has been my home, which has allowed me to work on some very challenging projects and do some very cool things with a variety of clients across all industries. As with many like me who enjoy the intoxication of managing the digital identity, my journey started with learning Microsoft Identity Integration Server 2003 (MIIS 2003). To this day, I get asked, and I still see many questions on the forums, for guidance on where to start researching. Although there is much more documentation and there are many more resources out now, it is still kind of all scattered, which can definitely frustrate newcomers. I'm going to attempt to list the key documents that provide the best details for starting off an identity and access management career. BTW – If you find this article of interest and find other documents which should be included that I may have missed, please &lt;a href="mailto:ctcald@gmail.com"&gt;email&lt;/a&gt; me and let me know.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The first step is to get a general understanding of what identity management is. There are many webcasts out now which may ignite the curiosity; however, many are in the midst of identity chaos without even realizing it. A very good 15-page document which provides a quick and neutral introduction to IdM is Spencer Lee's "&lt;a href="http://www.sans.org/reading_room/whitepapers/authentication/852.php"&gt;An introduction to Identity Management&lt;/a&gt;."&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Additionally, there are many key sites that speak on MIIS and Identity Management. Just by googling "MIIS 2003," you're bound to come upon MIISExperts.org, which can be considered the "Holy Grail" of MIIS sites. 
This site probably provides the most information next to MSDN.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The FAQs on MIISExperts.org answer the question of how to learn IdM by doing 3 things:&lt;br /&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Take the time to get trained.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Read the FAQs.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Join the newsgroups and start lurking, or jump right in and start posting questions.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;In the old days, all we had was the MMSUG newsgroup and a few technical documents; today the online resources unlock a treasure of information, and it's just a matter of investing the time in learning the technology and understanding how and where to apply it. For many, the best way is attending the official course provided by the boys from &lt;a href="http://www.oxfordcomputergroup.com/courses.aspx"&gt;OCG&lt;/a&gt;. These courses are worth every penny because not only do you learn from experts in the field of IdM; they are also the authors of the official curriculum and active implementers in the field. There are more courses offered; however, the key ones are:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.oxfordcomputergroup.com/ocg_/images/resources/Training/Oxford%20MIIS2731%20Descriptor.pdf"&gt;Designing and Deploying MIIS 2003&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.oxfordcomputergroup.com/ocg_/images/resources/Training/Oxford%20MIIS504%20Descriptor.pdf"&gt;MIIS 2003 Advanced Implementer and Developer Course&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;For online resources, obviously you can look to the &lt;a href="http://www.microsoft.com/miis/default.mspx"&gt;product's homepage&lt;/a&gt;; however, most of the key documentation of value to you would probably be in the &lt;a href="http://technet2.microsoft.com/windowsserver/en/technologies/featured/miis/default.mspx"&gt;Microsoft Identity Integration Server Technical Library&lt;/a&gt;. 
Here you'll find guidance in properly planning, designing, deploying and maintaining an MIIS implementation.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/5b47b9ad-9659-4d5c-ae69-2c306ba36bf21033.mspx?mfr=true"&gt;&lt;strong&gt;Planning and Architecture&lt;/strong&gt;&lt;/a&gt; (Use this documentation set as you plan your MIIS 2003 deployment to help you design the most secure and optimal MIIS solution for your needs, initiate your project, design the system data flow, plan synchronization rules, and address configuration settings.)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/9fe0715c-f314-4d49-a93e-6017a4c4a2fa1033.mspx?mfr=true"&gt;&lt;strong&gt;Deployment&lt;/strong&gt;&lt;/a&gt; (Includes information about recommended deployment scenarios for MIIS 2003 including how to upgrade from the previous versions and also solution guides that provide deployment information for uncommon scenarios)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/5b47b9ad-9659-4d5c-ae69-2c306ba36bf21033.mspx?mfr=true"&gt;&lt;strong&gt;Operations&lt;/strong&gt;&lt;/a&gt; (This documentation set includes "How To" guides and other documents that provide discussions and recommended solutions for specific challenges that you encounter when using MIIS 2003.)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/b67ac110-0533-4223-8eb1-a52c920e6b291033.mspx?mfr=true"&gt;&lt;strong&gt;Technical Reference&lt;/strong&gt;&lt;/a&gt; (This documentation set provides in-depth information about MIIS 2003 components, architecture, identity management process, synchronization rules, run profiles, and details about event-based and state-based identity management architectures.)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a 
href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mmsdev/mms/portal.asp"&gt;&lt;strong&gt;Development&lt;/strong&gt;&lt;/a&gt; (Administrators and developers can create rules extensions that use the Microsoft .NET Framework. To understand the information in this Developer Reference, you must be thoroughly familiar with MIIS 2003.)&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Once the foundation is set, you'll probably be extremely anxious to get this thing running to cure all your pains from the sickness of identity chaos. Well, the best way is to use the walkthroughs. This collection of documents is really good because it allows you to install and configure each function of MIIS, from general identity synchronization to password management topics. After completing the scenario walkthroughs, you can proceed with the more advanced Microsoft Identity and Access Management Series 1.4. This collection provides a very realistic configuration for an enterprise implementation of MIIS. Additionally, the sample code can be used as a reference to build your own solutions.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/16af6487-1506-492f-9551-9bec0601c26c1033.mspx?mfr=true"&gt;&lt;strong&gt;MIIS 2003 Scenario Walkthroughs&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; (&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=15032653-D78E-4D9D-9E48-6CF0AE0C369C&amp;amp;displaylang=en"&gt;Download from source&lt;/a&gt;)&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=794571e9-0926-4c59-bfa9-b4bfe54d8dd8&amp;amp;displaylang=en"&gt;&lt;strong&gt;Microsoft Identity and Access Management Series 1.4&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Note: For a more technical collection of documents on techniques, you should review the following functional and design documentation. 
This set details the essential concepts of event- and state-based architectures and the core components, architecture, identity management process, synchronization rules, and run profiles featured in MIIS 2003.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=d7894cc9-eeeb-40d9-8f5f-573050624f67&amp;amp;displaylang=en"&gt;Microsoft Identity Integration Server 2003 Functional and Operational Reference&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=40A52201-A297-4C35-82E9-F0B4CA05DAEB&amp;amp;displaylang=en"&gt;MIIS 2003 Design Concepts&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;These documents address the design concepts typical in any MIIS implementation, summarized below.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;MIIS 2003 Design Concepts for Reference Attributes&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This document explains how reference attributes are processed by MIIS 2003 for direct attribute mapping scenarios and provides a conceptual explanation of a custom solution for advanced mapped reference attributes. It also includes design recommendations for both direct and advanced mapped attributes.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;MIIS 2003 Design Concepts for Correlating Digital Identities&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This document discusses considerations for mapping attributes across different identities and configuring joins based on your business requirements. 
It introduces the concept of Correlation ID and explains how you can deploy a Correlation ID to establish strong object relationships in your identity integration solution.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;MIIS 2003 Design Concepts for Implementing IFunctions&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This document introduces the concept of object-level identity functions (IFunctions) in an identity integration scenario, discusses possible implementation options, and also provides implementation recommendations.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;MIIS 2003 Design Concepts for Implementing Reverse Joins&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This document discusses some of the common reverse join implementation approaches for synchronizing identity objects in MIIS 2003. It provides two solutions for implementing reverse joins: reverse joins based on Transient management agents and reverse joins based on Auxiliary management agents.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;MIIS 2003 Design Concepts for Advanced Solution Components&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In this document, you will learn about "process-level attributes" and "conditional metaverse objects" to improve the convergence efficiency of the identity integration process, and how you can use "operational management agents" to isolate metaverse objects requiring special attention. The "auxiliary management agents" section discusses how you can implement a custom reprocessing solution.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Once you've become proficient in MIIS, of course there's a learning path for this profession. It's always been my belief that although Identity Management is typically used to support application authentication and authorization, it heavily influences and complements the security of any infrastructure. Microsoft recently published the learning paths for each practice, as seen in the attached link. 
Additionally, this link contains all the on-demand webcasts published for Identity and Access Management.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/learning/default.mspx"&gt;Learning Paths for Security (Identity and Access Management)&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/learning/identity/all/default.mspx"&gt;Identity and Access Management Learning Resources&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Now that you're a pro at identity management, join the newsgroups and start contributing to the communities!&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://tech.groups.yahoo.com/group/MMSUG/"&gt;[Forum] Yahoo MIIS Users Group&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=540&amp;amp;SiteID=17"&gt;[Forum] TechNet Forums – MIIS&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.metadirectory&amp;amp;cat=en_us_777f4709-9b6e-4815-89b3-a0d93fffa831&amp;amp;lang=en&amp;amp;cr=us"&gt;[News Group] Discussions in microsoft.public.metadirectory&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Because identity management is still evolving, there is still a lot of information to learn. This technology is like a living creature that grows as fast as innovation permits. The upcoming versions ILM 2007 and ILM"2" are the future. 
Jump on board the train of evolution and hang on, because you're going to be in for a ride!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/ilm.mspx"&gt;Evolving further into Identity Lifecycle Management (Automated Identity and Access Management)&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/ilm.mspx"&gt;Identity Lifecycle Management&lt;/a&gt; &lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/InformationProtection.mspx"&gt;Information Protection&lt;/a&gt; &lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/FederatedIdentity.mspx"&gt;Federated Identity&lt;/a&gt; &lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/StrongAuthentication.mspx"&gt;Strong Authentication&lt;/a&gt; &lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/DirectoryServices.mspx"&gt;Directory Services&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.identityjunkie.com/feeds/1317284672153828815/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=1242510060581634745&amp;postID=1317284672153828815" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/1317284672153828815" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1242510060581634745/posts/default/1317284672153828815" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/identityjunkie/girK/~3/DkF-Pqrm2hg/learning-microsoft-identity-management_04.html" title="Learning Microsoft Identity Management" /><author><name>-</name><uri>http://www.blogger.com/profile/00185516557937097505</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="01079516607417049137" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.identityjunkie.com/2007/06/learning-microsoft-identity-management_04.html</feedburner:origLink></entry></feed>
